11:20 a.m.
(See my other mail on the subject here:
http://redhat.com/archives/fedora-test-list/2007-March/msg00295.html )
Something in selinux-policy-2.5.8-4.fc7 (and I think -3 as well) is
denying ldconfig permission to create symlinks in /tmp. mkinitrd uses
ldconfig to set up the symlinks in the initrd it creates (in a temp dir
under /tmp), so then nash won't load (missing ld-linux.so.2), so your
system won't boot.
Here's the relevant info, triggered when installing a new kernel (which
runs mkinitrd):
avc: denied { create } for comm="ldconfig" egid=0 euid=0
exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0
sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file
tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0
Hope this helps,
-w
1:06 p.m.
On Fri, 2007-03-16 at 12:20 -0400, Will Woods wrote:
Here's the relevant info, triggered when installing a new kernel
(which
runs mkinitrd):
avc: denied { create } for comm="ldconfig" egid=0 euid=0
exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0
sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file
tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0
Hope this helps,
-w
Hello to all,
Ive been following this issue on several other list and here is what
seems to be the problem as far as some FedoraProject see's the issue..
Look at ->
http://fedoraproject.org/wiki/F7Test2/ReleaseNotes
->
[Problems with mkinitrd]
they mention the rpm ordering issue and updating anaconda via an
.img pkg
This is my first mail to the list, glad to be here.
Kind Regards,
Euman
1:26 p.m.
On Fri, 2007-03-16 at 14:06 -0400, Euman wrote:
Ive been following this issue on several other list and here is what
seems to be the problem as far as some FedoraProject see's the issue..
Look at ->
http://fedoraproject.org/wiki/F7Test2/ReleaseNotes
->
[Problems with mkinitrd]
they mention the rpm ordering issue and updating anaconda via an
.img pkg
That's a different bug.
That bug is a problem with the installer trying to install the mkinitrd
package - it would sometimes get stuck in an infinite loop on 64-bit
machines.
My problem is that the SELinux policy is denying mkinitrd some
permissions it needs to be able to create a working initrd.
Or, rather, it *was* - it seems to work with selinux-policy-2.5.8-5.fc7.
The changelog mentions prelink, not ldconfig, so I'm not sure what
actually changed and whether the problem is really fixed or if I'm just
not seeing it now.
How could I get a diff between the two policies?
Thanks,
-w
1:28 p.m.
On Fri, 2007-03-16 at 18:26 +0000, Will Woods wrote:
My problem is that the SELinux policy is denying mkinitrd some
permissions it needs to be able to create a working initrd.
Or, rather, it *was* - it seems to work with selinux-policy-2.5.8-5.fc7.
The changelog mentions prelink, not ldconfig, so I'm not sure what
actually changed and whether the problem is really fixed or if I'm just
not seeing it now.
Whoops, strike that - I didn't get an setroubleshoot popup, but the
initrd is still broken.
-w
8:22 a.m.
On Fri, 2007-03-16 at 18:26 +0000, Will Woods wrote:
On Fri, 2007-03-16 at 14:06 -0400, Euman wrote:
> Ive been following this issue on several other list and here is what
> seems to be the problem as far as some FedoraProject see's the issue..
>
> Look at ->
> http://fedoraproject.org/wiki/F7Test2/ReleaseNotes
>
> ->
> [Problems with mkinitrd]
>
> they mention the rpm ordering issue and updating anaconda via an
> .img pkg
That's a different bug.
That bug is a problem with the installer trying to install the mkinitrd
package - it would sometimes get stuck in an infinite loop on 64-bit
machines.
My problem is that the SELinux policy is denying mkinitrd some
permissions it needs to be able to create a working initrd.
Or, rather, it *was* - it seems to work with selinux-policy-2.5.8-5.fc7.
The changelog mentions prelink, not ldconfig, so I'm not sure what
actually changed and whether the problem is really fixed or if I'm just
not seeing it now.
How could I get a diff between the two policies?
If you want a comparison of the actual kernel binary policies, you can
use sediff from setools to display a semantic diff of them.
--
Stephen Smalley
National Security Agency
8:09 a.m.
On Fri, 2007-03-16 at 12:20 -0400, Will Woods wrote:
(See my other mail on the subject here:
http://redhat.com/archives/fedora-test-list/2007-March/msg00295.html )
Something in selinux-policy-2.5.8-4.fc7 (and I think -3 as well) is
denying ldconfig permission to create symlinks in /tmp. mkinitrd uses
ldconfig to set up the symlinks in the initrd it creates (in a temp dir
under /tmp), so then nash won't load (missing ld-linux.so.2), so your
system won't boot.
Here's the relevant info, triggered when installing a new kernel (which
runs mkinitrd):
avc: denied { create } for comm="ldconfig" egid=0 euid=0
exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0
sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file
tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0
We shouldn't allow ldconfig to create files with rpm_script_tmp_t
(private temporary file type for rpm scriptlets), so something is wrong
here. How is the parent directory created?
--
Stephen Smalley
National Security Agency
3:21 p.m.
On Mon, 2007-03-19 at 09:09 -0400, Stephen Smalley wrote:
On Fri, 2007-03-16 at 12:20 -0400, Will Woods wrote:
> Here's the relevant info, triggered when installing a new kernel
(which
> runs mkinitrd):
>
> avc: denied { create } for comm="ldconfig" egid=0 euid=0
> exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
> name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0
> sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file
> tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0
We shouldn't allow ldconfig to create files with rpm_script_tmp_t
(private temporary file type for rpm scriptlets), so something is
wrong here. How is the parent directory created?
It's created by 'mktemp -d' in mkinitrd:
MNTIMAGE=`mktemp -d ${TMPDIR}/initrd.XXXXXX`
[create directory layout in $MNTIMAGE]
mkdir -p $MNTIMAGE/lib/firmware
[copy binaries and libraries into $MNTIMAGE]
/sbin/ldconfig -r "$MNTIMAGE"
This is running as part of the kernel RPM's %post script, so it makes
some sense that the target would have a context of rpm_script_tmp_t.
As you can see, mkinitrd *does* require that ldconfig be able to create
symlinks with rpm_script_tmp_t (or some other tmp_t). Otherwise we end
up with non-bootable initrds, which is what we're seeing in rawhide
right now.
-w
4:48 p.m.
On Mon, 2007-03-19 at 16:21 -0400, Will Woods wrote:
As you can see, mkinitrd *does* require that ldconfig be able to
create
symlinks with rpm_script_tmp_t (or some other tmp_t). Otherwise we end
up with non-bootable initrds, which is what we're seeing in rawhide
right now.
dwalsh built a new selinux-policy package (2.5.8-8.fc7) which fixes this
problem for me. The new package should be public in rawhide tomorrow, so
we'll find out for sure if it's fixed then.
Thanks for all your help, folks!
-w
6247
days inactive
6250
days old
selinux@lists.fedoraproject.org
7 comments
3 participants
participants (3)
-
Euman -
Stephen Smalley -
Will Woods